Re: CRL bug?
On Tue, Aug 17, 2004, Joseph Bruni wrote:

> I have a server that runs with many (1500) long-duration SSL connections. I am using
> CRLs and have CRL checking enabled when I'm building my SSL_CTX using the
> following code:
>
> X509_STORE* store = SSL_CTX_get_cert_store(ctx);
> if ( !store ) {
>     ERR_print_errors_syslog(LOG_ERR);
>     throw std::runtime_error("SSL_CTX_get_cert_store");
> }
>
> X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
> if ( !lookup ) {
>     ERR_print_errors_syslog(LOG_ERR);
>     throw std::runtime_error("X509_STORE_add_lookup");
> }
> if (X509_load_crl_file(lookup, "crl.pem", X509_FILETYPE_PEM) != 1) {
>     ERR_print_errors_syslog(LOG_ERR);
>     throw std::runtime_error("X509_load_crl_file");
> }
>
> X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
>
> The problem is that after running for several hours, all new connections start
> getting rejected with a "certificate revoked" error. The actual error message also
> shows that the RSA signature on the CRL has gone bad. Restarting the system or even
> causing a rebuild of the SSL_CTX allows things to proceed.
>
> Are there any known issues in 0.9.7d on OS X that might cause the CRL object to
> become corrupt?

Nothing I know of. The CRL might expire, which would cause errors, but not "certificate revoked" or signature errors.

Steve
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
RE: publick key
You can easily extract the public key from the private key with 'openssl rsa -pubout'. To get the key from the certificate, use 'openssl x509 -pubkey'.

DS

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of ULL Lafayette
Sent: Tuesday, August 17, 2004 9:45 AM
To: [EMAIL PROTECTED]
Subject: publick key

Hi all,

I am a new user. I have set up a CA as per the documentation on the OpenSSL website. But I don't understand how to display only the public key from the certificate. Is there any command line option to output the public key from the certificate to a file? Please help.

Thanks in advance
SSL_connect returns SSL_ERROR_ZERO_RETURN for SOCKS4/5
Hi *!

I have an application (on MS Windows) that needs to speak HTTPS even if it is behind a SOCKS4/5 proxy. I am using OpenSSL for the SSL part, and my code for using OpenSSL is taken from the file "\demos\ssl\cli.c".

My problem is that when I connect via a SOCKS4/5 proxy (after doing the auth & stuff needed to connect via the proxy) I call "SSL_connect" and most of the time I don't get any errors, the connection is made successfully and I can send/recv data fine. But sometimes (like 20%) the SSL_connect takes quite a while and returns with an error. "SSL_get_error" tells me that it's "SSL_ERROR_ZERO_RETURN" (it's always this same error).

I get the above behaviour only when connecting through a SOCKS proxy. I am not sure if I have to do something different when I am connecting via a proxy.

Any comments/suggestions are most welcome.

Thanks for your time,
Regards,
Usman.
CRL bug?
I have a server that runs with many (1500) long-duration SSL connections. I am using CRLs and have CRL checking enabled when I'm building my SSL_CTX using the following code:

    X509_STORE* store = SSL_CTX_get_cert_store(ctx);
    if ( !store ) {
        ERR_print_errors_syslog(LOG_ERR);
        throw std::runtime_error("SSL_CTX_get_cert_store");
    }

    X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
    if ( !lookup ) {
        ERR_print_errors_syslog(LOG_ERR);
        throw std::runtime_error("X509_STORE_add_lookup");
    }
    if (X509_load_crl_file(lookup, "crl.pem", X509_FILETYPE_PEM) != 1) {
        ERR_print_errors_syslog(LOG_ERR);
        throw std::runtime_error("X509_load_crl_file");
    }

    X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);

The problem is that after running for several hours, all new connections start getting rejected with a "certificate revoked" error. The actual error message also shows that the RSA signature on the CRL has gone bad. Restarting the system or even causing a rebuild of the SSL_CTX allows things to proceed.

Are there any known issues in 0.9.7d on OS X that might cause the CRL object to become corrupt?

What is a good lifespan for an SSL_CTX? Should I rebuild it every six hours or something? I'm not using sessions.
publick key
Hi all,

I am a new user. I have set up a CA as per the documentation on the OpenSSL website. But I don't understand how to display only the public key from the certificate. Is there any command line option to output the public key from the certificate to a file? Please help.

Thanks in advance
RE: OpenSSL 0.9.7d WIN - IA64 port
Hi Richard,

Thanks for your reply. In my experiments so far, I have seen the messages about size_t and unsigned long. This is the one that worried me some. How can I watch for news about this work?

Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Richard Levitte - VMS Whacker
Sent: Tuesday, August 17, 2004 4:04 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: OpenSSL 0.9.7d WIN - IA64 port

In message <[EMAIL PROTECTED] mcast.net> on Mon, 16 Aug 2004 17:41:29 +, [EMAIL PROTECTED] said:

d.mclellan> Hi: I'm now investigating build OpenSSL -0.9.7d on a WIN
d.mclellan> IA64 architecture machine. Has anyone had any experience
d.mclellan> with this, or is there any active work in progress to
d.mclellan> support WIN IA64 platforms?
d.mclellan> Thanks very much.

The absolutely biggest problem is that size_t is 64 bits while unsigned long is 32 bits. This leads to a ton of warnings/errors concerning size differences when OpenSSL uses unsigned long, unsigned int or int for things that should really be size_t.

There's a branch where work on this is done, although very slowly (at least for the moment). If I didn't have to spend time chasing down finances to survive, that would be one of those things I'd work on, as it also concerns a favorite O/S of mine, VMS.

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/
Re: Any issues with WinXP SP2?
Lucius Millinder wrote:
> Know where I can get the url:// for sp2?

Here you can find the download area for XP-SP2 (English only for now...):
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx

> Lucius L. Millinder Jr.
> Security & SAN Systems Specialist
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Morgan
> Sent: Tuesday, August 17, 2004 6:54 AM
> To: [EMAIL PROTECTED]
> Subject: Any issues with WinXP SP2?
>
> I'm mainly thinking about the data execution prevention (DEP) feature. As far as I can make out it's all okay.
>
> Scott Morgan

--
Dott. Sergio Rabellino
Technical Staff
Department of Computer Science
University of Torino (Italy)
http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603
RE: Any issues with WinXP SP2?
Know where I can get the url:// for sp2?

Lucius L. Millinder Jr.
Security & SAN Systems Specialist

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Morgan
Sent: Tuesday, August 17, 2004 6:54 AM
To: [EMAIL PROTECTED]
Subject: Any issues with WinXP SP2?

I'm mainly thinking about the data execution prevention (DEP) feature. As far as I can make out it's all okay.

Scott Morgan
Any issues with WinXP SP2?
I'm mainly thinking about the data execution prevention (DEP) feature. As far as I can make out it's all okay.

Scott Morgan
Windows OpenSSL: Where to put the config file?
Greetings

I'm working (on Windows) with the Apache SSL software, and also with OpenSSL for Windows (Apache just bundles that in). I cannot find where the configuration file is; all the documentation seems to reference the Linux filesystem.

Could someone please tell me where to put the config file? If it is already there, I haven't found it!

Could you send me a simple example? I'd like to make a few simple test certificates and install them in the Apache server and IE browser to get a feel for how it works.

Thank you!
Re: OpenSSL 0.9.7d WIN - IA64 port
In message <[EMAIL PROTECTED]> on Mon, 16 Aug 2004 17:41:29 +, [EMAIL PROTECTED] said:

d.mclellan> Hi: I'm now investigating build OpenSSL -0.9.7d on a WIN
d.mclellan> IA64 architecture machine. Has anyone had any experience
d.mclellan> with this, or is there any active work in progress to
d.mclellan> support WIN IA64 platforms?
d.mclellan> Thanks very much.

The absolutely biggest problem is that size_t is 64 bits while unsigned long is 32 bits. This leads to a ton of warnings/errors concerning size differences when OpenSSL uses unsigned long, unsigned int or int for things that should really be size_t.

There's a branch where work on this is done, although very slowly (at least for the moment). If I didn't have to spend time chasing down finances to survive, that would be one of those things I'd work on, as it also concerns a favorite O/S of mine, VMS.

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/
AW: Generating Test Certificates
You have to specify a config file using the -config parameter of openssl. Just like "ca", "req" needs a configuration file to get specific information like the key length or the distinguishedName structure. My experience is that openssl does not find the default config file, so you have to either set the environment variable (I don't know the correct name) or pass the "-config" parameter.

Regards

> -----Original Message-----
> From: Richard M. Hartman [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 16 August 2004 22:27
> To: [EMAIL PROTECTED]
> Subject: Generating Test Certificates
>
> The HOWTO\certificates.txt says to generate the self-signed cert with:
>     openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
>
> I tried with both an RSA key and a DSA key. They each fail in slightly
> different ways, but both seem to be trying to get something from the
> environment.
>
> C:\work\3rdparty\OpenSSL\openssl-0.9.7d>out32\openssl req -new -x509 -key myrsakey.pem -out myrsacert.pem -days 1095
> Unable to load config info
> unable to find 'distinguished_name' in config
> problems making Certificate Request
> 2660:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:.\crypto\conf\conf_lib.c:325:
>
> C:\work\3rdparty\OpenSSL\openssl-0.9.7d>out32\openssl req -new -x509 -key mydsakey.pem -out mydsasert.pem -days 1095
> Unable to load config info
> Loading 'screen' into random state - done
> unable to find 'distinguished_name' in config
> problems making Certificate Request
> 1996:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:.\crypto\conf\conf_lib.c:325:
>
> I had no problems generating the keys with the command in HOWTO\keys.txt.
>
> What is it that is missing from the environment?
>
> As long as I'm at it ... what do I do with the certificates once I have them? I am trying to enable SSL communications on a Windows 2000 machine.
>
> --
> -Richard M. Hartman
> [EMAIL PROTECTED]
>
> 186,000 mi/sec: not just a good idea, it's the LAW!
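Three questions in this digest can be exercised end to end with nothing but the command-line tool: the CRL thread ("certificate revoked" versus an expired CRL, which Stephen Henson says produces a different error), the "publick key" thread ('openssl rsa -pubout' versus 'openssl x509 -pubkey'), and the two Windows threads where 'req' fails with "unable to find 'distinguished_name' in config" because no configuration file is found. The script below is an added example, not code from any of the posters or from the OpenSSL project. It assumes only a POSIX shell and an openssl binary (1.0.2 or newer) on PATH; every file name, subject name and the configuration it writes are invented for the demonstration. It passes its configuration explicitly with -config, which makes the location of the platform's default openssl.cnf irrelevant (the environment variable the previous message could not remember is OPENSSL_CONF); it then checks that the public key extracted from the key file is byte-for-byte the one in the certificate, and verifies a certificate against a fresh CRL, against the same CRL after its nextUpdate has passed (simulated with -attime), and against a CRL that lists the certificate as revoked.

```sh
#!/bin/sh
# Added example (not from the original posts or the OpenSSL project).
# Assumes only that the openssl command-line tool (1.0.2 or newer) is on
# PATH; file names, subject names and the config below are invented.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal configuration, passed explicitly with -config so it does not
# matter where the platform's default openssl.cnf lives. 'req' insists on
# a distinguished_name section; 'ca' needs the [ ca ] section and files.
cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no
[ req_dn ]
CN = Test CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ ca ]
default_ca = test_ca
[ test_ca ]
dir              = .
database         = $dir/index.txt
serial           = $dir/serial
new_certs_dir    = $dir/newcerts
certificate      = $dir/cacert.pem
private_key      = $dir/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 1
policy           = policy_any
[ policy_any ]
commonName = supplied
EOF
mkdir newcerts
touch index.txt
echo 01 > serial

# Self-signed CA, then a server certificate issued by it.
openssl req -x509 -new -newkey rsa:2048 -nodes -config openssl.cnf \
    -keyout cakey.pem -out cacert.pem -days 365 -subj "/CN=Test CA" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config openssl.cnf \
    -keyout server.key -out server.csr -subj "/CN=server.test" 2>/dev/null
openssl ca -batch -notext -config openssl.cnf -in server.csr -out server.pem 2>/dev/null

# Public key taken from the private key vs. from the certificate: both
# commands emit the same SubjectPublicKeyInfo PEM block. Prints yes/no.
pubkey_match() {
    openssl rsa -in cakey.pem -pubout 2>/dev/null > from_key.pub
    openssl x509 -in cacert.pem -pubkey -noout > from_cert.pub
    cmp -s from_key.pub from_cert.pub && echo yes || echo no
}

# Verify server.pem against the CA with CRL checking enabled.
# $1 = CRL file, $2 = epoch seconds for -attime (empty = now),
# $3 = file that receives openssl's diagnostics. Prints the exit status.
verify_with_crl() {
    set +e
    if [ -n "$2" ]; then
        openssl verify -CAfile cacert.pem -crl_check -CRLfile "$1" \
            -attime "$2" server.pem > "$3" 2>&1
    else
        openssl verify -CAfile cacert.pem -crl_check -CRLfile "$1" \
            server.pem > "$3" 2>&1
    fi
    echo $?
}

# 1. Fresh CRL with nothing on it: verification succeeds.
openssl ca -config openssl.cnf -gencrl -crldays 1 -out crl.pem 2>/dev/null
STATUS_FRESH=$(verify_with_crl crl.pem "" fresh.out)

# 2. Same CRL evaluated three days later: its nextUpdate has passed while
#    the certificate is still valid, so the error is "CRL has expired"
#    (X509_V_ERR_CRL_HAS_EXPIRED, 12), not "certificate revoked" (23).
LATER=$(( $(date +%s) + 3 * 86400 ))
STATUS_EXPIRED_CRL=$(verify_with_crl crl.pem "$LATER" expired.out)

# 3. Revoke the certificate, issue a new CRL, verify again: revoked.
openssl ca -config openssl.cnf -revoke server.pem 2>/dev/null
openssl ca -config openssl.cnf -gencrl -crldays 1 -out crl2.pem 2>/dev/null
STATUS_REVOKED=$(verify_with_crl crl2.pem "" revoked.out)

PUBKEY_MATCH=$(pubkey_match)
echo "public key from key file == public key from cert: $PUBKEY_MATCH"
echo "fresh CRL:   exit $STATUS_FRESH: $(tr '\n' ' ' < fresh.out)"
echo "expired CRL: exit $STATUS_EXPIRED_CRL: $(tr '\n' ' ' < expired.out)"
echo "revoked:     exit $STATUS_REVOKED: $(tr '\n' ' ' < revoked.out)"
```

The -config argument works the same way on Windows, so a port of the openssl.cnf above is all the Apache/Windows poster needs to get past the "Unable to load config info" errors. The -attime run is the point relevant to the CRL thread: a CRL that has simply passed its nextUpdate is reported as "CRL has expired", and a server that loads a CRL once into a long-lived SSL_CTX will start seeing that error, not "certificate revoked", once the CRL's validity window closes; the cure is to reload the CRL before nextUpdate rather than to rebuild the context on a timer.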